YRSCommercial and YRSFood endeavors to comply with the rules regarding GDPR. They came into force as of the 25th May 2018 and we have been operating our GDPR workflow since. You as a client are responsible for the use of images once they have been issued to you. The studio will not be held responsible should actions occur following your publication of any images produced and provided by the studio. It is your responsibility to vet all images individually to protect yourself from any form of legal action.
If you are unsure of what GDPR is and the legislation behind it, please follow this link to Wikipedia.
Principle Data Use & Storage.
Data is retained in the studio for a number of purposes: accounting, customer management, marketing and lastly image archive.
In all cases data is stored in secured servers and digitally archived. The security of our servers and backups is managed through our IT policy - our systems being kept up to date and also through the purchase of security and firewall software. We require data to meet accounting requirements and HMRC. Regardless of any requests to remove any data, this specific data in the form of an invoice is and will be retained for accounting purposes. It is required by UK law.
Customer management data is limited to key contact information on the individual or the business. This is: name, telephone number, cell phone (if offered) and address (business address normally unless it is both private and business). We add to this your website URL / details. Beyond this, data that is volunteered by the customer may be added to the client records - often specifc details of the commission or quotation. It may also be additional contact information or contacts they require in the commission and or third party relationship data (i.e. who their agency or designer is). There may also be a track record of conversations regarding the account - comments on the shoot. This is all the data that is kept. You will be asked if we may keep key contact data through our enquiry response form. We cannot pursue enquiries unless this is responded to. You can find the form here.
All contact data is kept in our customer relationship management system. This again is secure and backed up daily.
Data and phones. No emails are left on our phones. No contact data is left on our phones. Our company phones are password protected. We do not like texting unless absolutely necessary as this data cannot be backed up easily. It is, therefore, deleted at all times once read. In short, we're not big smart phone users and prefer a portable desktop!
Image archive data
All images taken by the studio are stored under a simple layered filing system in a digital management system. The header file name is that of the client - your name or your client's name depending on the commission and agency. Under this the commissions are stored in date order. In the past this has made image retrieval simple for clients (so we can find it when you loose your disk!!!). Under GDPR we are required to declare our process and the data that is contained. Beyond your name (business) and the date of the shoot, the only other data that may be 'tagged' is location.
This data like all other data is backed up and optimized within secure servers. This data will remain as we own the copyright of all images unless agreed otherwise. Should a data removal request occur we will simply de-personalize the image - namely remove company contact and reference data, as we may use the image ourselves in the promotion of the studio.
As copyright holder the images are the property of YRSFood and YRSCommercial (you licence the use from us) and will reside there. We will only store these images for your benefit (you have lost the disk) and our own use in our own marketing activities, as agreed under licence. Should you not wish us to use the images or store the images, you will need to make this clear before contract or licence agreement so that a decision as to whether the studio proceeds with the commission can occur. It is unlikely if the studio cannot use our own images.
The tags mentioned in the above section 'Image Archive Data' are stored in the file of the image. This plus the contact information of the studio and the copyright licence links. You should be aware that such 'EXIF' data may stay with the image you are using and perhaps sharing. You can view this data in your file management systems under the properties of the file. We will, if requested, remove all reference to the owner and the comission. We will not remove EXIT content referring to contact data for the studio and the licence or copyright.
If you are unsure of what EXIF data is, please follow this link to Wikipedia.
Data & Our Websites.
You will notice that there is a cookie management control bar at the top of the browser page when you view our website(s). We do not assume you comply with cookie use as this is no longer satisfactory since GDPR came into force. We give you the option to opt out. Should you not opt out and wish you had later, we cannot be held reponsible retrospectively. This control bar currently manages all cookies, however we onlyuse two cookies: Statcounter and Google Tracking nothing else.
Data & Images.
This part of GDPR is specific to photography. Please see above for our digital archive data use. In the past we have been asked to photograph employees with your employee numbers, save images files as employee numbers etc and their individual names as file names all to help HR do their job. This is now against GDPR regulations as the action of doing so, attaches personal data to the image - in otherwords, you can idenity the person by the attached data or something about that person from the data.
As such, we have already removed all such data from our image archives / backups and left it at company data only and shoot date only - normal camera files names now existing - and all references to employee names and the empoyment numbers removed from our systems. Please do not ask us to name files with personal data, post GDPR as we do not wish to have to refuse! We know it is a pain, as you can no longer just ring us up and ask for a copy of XYZ's image or perhaps use their employment number as a reference. You will just have to get very, very, very good at describing the individual to us so we can look the the thousands of images we have to pick them out! Sorry don't blame us - yell at your politician!
As for PR images - we used attach personal data in the meta file (naming the individuals in the image) - PR companies love it as it makes life easy. Publications like it because all the data is there in one file for them to use in the press statement. Post GDPR we will not attach any personal data to the file. Any information identifying individuals in the image will be sent in a separate email (naming through description left to right etc) to the contact responsible for the commission. They will now be responsible for marrying up image with people. The same applies to event work, no files will be named using personal data other than the event name and the data of the shoot. A shoot order will be linked where possible to a separate document/email with image personal data - sorry, but its a case of then marrying it up from there.
Data and Exhibtions.
Sorry but events now read like a riot act as we have just mentioned in the previous paragraph! Before we agree to do any event coverage you will be asked how you intend to manage the GDPR requirements of images in crowds and in public places. We may, should the reponse not protect the studio, effectively decline the opportunity to work with you.
In the past we have helped event organisers at every level possible. This includes not only dating images and the location of the event, but also naming the files of key personnel. With GDPR at the change of legisaltion to include data with an image of a person, we will only file the images by file name out of the camera - no changes will be made. We will not add EXIT data beyond the event name and the date the image was take. It wil be the responsibility of the event organiser (client or agent) to the decide whether to label files with further information. Please do not ask us to do it as we do not wish to offend by refusing.
On the day of an event, it is the event organisers responibility to declare to all who attends that a photographer is present and that they should accomodate attendees who do not wish for the image to be captured - think long lens and reportage photography technqiues, do not think only portraits. They should display a coloured badge or some form of identification, so during post production we can remove these images from the collection should they contain images of those unwilling to have the image taken. We will not be held responsible should complaints occur once the images have been passed to the client if no measures are in place. We find a simple RED disk badge or RED tape badge necklace is best to identify 'I do not want my image captured'. We can see it in all lighting. Also should the individual remove or simply not wear this, they forfit all rights when it comes to their image being taken. Such measures are handed out at badge collection points or entry passes.
EXIT data & Social Media.
Once images have been past to the client we will make it clear that EXIT data exists. As a client you are now expected to use the images responsibly recognising the needs of GDPR. Social media such as Facebook or Instagram permits data to be added retrospectively, after posting. This may be data that identifies an individual and is then in breach of GDPR. You may have made all the efforts possible to clear personal data at publishing to only find data is added months later. You are now required to police all your images used indefinately. The studio cannot be held responsible for breaches of GDPR beyond their control - namely you posting images on social media or attaching contact information without the subjects permission in normal media channels or websites.
When someone attaches a name to a post in Facebook even though you have posted it without personal data - it becomes a breach of GDPR. This person may or may not even be employed by you, they may be the subjects friend.
We do not and will not post case studies or examples of client work, which involves people with their names. We have, therefore, withdrawn from Facebook and only use Twitter as linking is less prevalent here and use Instagram for product and food - no people shots. Any posts where third parties attach a name or other data we deem as personal will result in the post being deleted completely and republished without the comments attached. So, please do not attach any personal data to our case studies or posts if you know the individual - banter included!
All existing client contacts were invited to a GDPR completion form through a broadcast email sent in April. We asked customers to give their consent freely and re-fill the form fields: name, telephone number, email, address, website and then ask four simple questions which give us permission to use the data in specific ways. If they have not responded to the email we remove their data automatically as of the 24th of May. Should they then approach the studio again they fall into the new customer contact work flow and consent is requested again. Consent to retain invoice data is not requested and will be retained for the period required with the accounting laws of England. Once out of this period their will be destroyed - paper and digital forms. See below to have data removed by YRSCommercial.
Accounting & Financial Data
We cannot raise an invoice without use of your data VAT rules require complete addressing details and GDPR is retrospective to all data not just new. If we cannot raise an invoice because we have no permission to use and store the data in the first place things again become difficult. It is for this reason we have included all major data points in the enquiry form - even if we do not visit you we need an address - is for the invoice. No address, means no invoice. This is why part one of the form is mandatory and we will not work with anyone if this is not completed first.
New Customer Contact Work flow
COMMUNICATIONS DATA - IT'S FIRST CONTACT. We have adopted a policy of GDPR compliance at first contact. It's still your choice. Namely as there are no guidelines that are clear when an enquiry becomes serious enough to request your permission to use your data (and yes we asked) we have decided that on first contact it is best for use to get this bit out of the way and then its all done.
So you will be sent a permission form should you contact us by any methods other than the on line contact form on the website. You may delay completing the form - we understand totally. But we will request the form and after a period of communications, should this not appear reluctantly walk away from the commission. Sorry, but GDPR is quite specific, to work with you we need data (email, telephone number etc) and the legislation says we need your permission to keep it.
THE PROCESS - STAGE ONE. When you call the studio, your telephone is visible to us - either landlines or cellphone. This number is noted down to return your call. During this call, if this is our first conversation you will be informed that an email will be sent to you requesting permission to store this basic data so that we may continue complying with GDPR. You can see the form here. Beyond this the only data we will store, manage and archive is any email details, addressing details (we do visit on site) and the email traffic. This is stored and audited for your and our own commercial purposes as contractual information is often contained within the unstructured email beyond that of the Quote and the Order Confirmation.
STAGE TWO - OUR GDPR CONTACT FORM. This can be viewed here. Our work flow for any new contact is to first send this to you. We will continue to work with you for a short time but we require this form to be completed to continue working with you. You are to provide THE DATA freely. Should you not wish to complete the form we understand totally as the data is your's and your property. However, as we are required to gain permission and, therefore cannot, we will have to bring discussions to a close and cease working on the commission. We will reach this point before costs or time is incurred on the studio. This action will not be subject to any penalty clauses or costs as we will have made this clear to you from the start and is part of our terms and conditions, also printed upon our quotes. Why? The form has a few basic data points nothing more. It is the basic commercial data we need to work with you and invoice you nothing more.
The first is you name, the second your address, then email and website. We then ask you to confirm you are happy for us to continue storing and using this data for general communications. You are also asked to confirm the country of origin as GDPR only applies to EU and the UK (we're adopting this post Brexit).
There are three more Yes/No blocks. We are required to tell you how your data is to be used. These three blocks are uses beyond basic commercial communication - marketing stuff really! So if you do not want to receive newsletters, promotions etc simply say NO. It stops the marketing team assuming your interested in everything we have to say which is how the data protection act used to work once you opted in. The form takes about 45 seconds to complete. It is not stored on line and is instantly emailed to a secure point on our servers and then transfered to a further secure folder for archiving. We are required by GDPR to provide audit-able proof we gained your permission. Once completed, life returns to normal and your will hopefully never here GDPR from us again - unless the law is changed again!
STAGE THREE, THE PROCESS - A QUOTATION. You contact the studio and ask us to raise a quotation. As you can imagine sometimes timescales do not permit all the tooing and froing of forms - you need a quote fast. All our quotations are formal - unless a rough idea of cost is requested in an email.
So we need permission to use your data. On point of a formal quotation, where data is used it will be accompanied by a link to complete your permission to use and continue using your data. Hopefully you will complete the form as you wish to go further with ourselves. Should we have not heard from you within the quotation valid period (10 days) and no permission form has been completed, your details will be deleted from our systems 30 days from the date the quotation was raised. We keep the quotation for 30 days for simple reference only.
STAGE FOUR, THE PROCESS - COMMISSION SHOOT. Some of our clients literally out pace the possibility of admin, or so they'd like us to think! GDPR is a bit of a pain when you call 4.30pm in the evening for an 8.30am press shoot the following day. We understand this, so hopefully when the admin catches up you will fill in the form. As the form has all the data on it, we need for the invoice we would appreciate it.
Data Protection Officer.
As this is such a headache to the business - and yes, we applied to all previous Data Protection Laws before hand but this has been a pain - we have appointed a data protection officer (victim). They handle all the GDPR issues and make sure our procedures are followed. They will also police the requests for consent and should a client or new prospect fail to provide consent and continue to engage the studio - will orderly withdraw the services of the studio from the commission before contractual stage. Please try and mae their life easier!
Right to View & Export Data.
Your have the right to review and export any data we have on you. Email gdpr @ your-reflection.co.uk and we will provide you with a report.
Data Removal & Right to be Forgotten.
Our customers have the right to request deleting their personal data. You can request that we remove your data from our general correspondence systems by emailing us at gdpr @ your-reflection.co.uk HOWEVER, we are required to keep invoicing data for HMRC requirements. Your data is contained within the invoice. This data will therefore be maintained for the period of accounting rules/requirements laws of England . No other data will be retained. Should a client wish to have any data removed they simply email us at gdpr @ your-reflectin.co.uk stating who they are and that they require their data to be removed. They will get a receipt stating that the process will occur immediately - no other communications will then occur. Should you require communication from that point, we will again ask for your permission using our permission form.
Our process of paperwork is simple. Quote then Order Confirmation and the Invoice. However, sometimes need over takes administration as a commission may need completion in hours and simply overtakes the quote stage. We would prefer not to do this but commercial often ignores politicians and lawyers and gets on with the real job! In such circumstances an order confirmation will be sent as soon as possible relating to the commission. You will however, be verbally and if possible emailed to look at our GDPR policy and licence pages which are on our website before you make any decisions.
Once the Image has left our hands.YRSCommercial and YRSFood is not liable for any GDPR infringements once the images have been distributed to you via WeTransfer, Sharing , distribution and general use (especially if containing images of employees) itis your responsibility. As part of your licence you will be drawn to the paragraph that states you are required as an employer to gain clear permission to photograph any employee and this includes our right of copyright and the use in marketing of the studio.
GDPR rant over... other than that we're still a photography studio... We think...!